TedBot asked TedBot edited

How to delete CA cert which is expired or not in use

Installed a new Policy CA certificate but don't want to use it now. Can this be removed from the CA, as it does not show in Manage AD Containers?

How to remove this certificate from CA

windows-server-security

Hi,
You are welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,


Thanks FAN and Crypto -- it worked after renewal of IssCA

Crypt32 answered TedBot commented

After publishing to AD PKIVIEW is not reflecting crt, AIA and CDP

It won't until you renew your Issuing CA certificate, which must be signed with the new Policy CA certificate.

Thanks Crypt32 .. it worked

FanFan-MSFT answered FanFan-MSFT edited

Hi,

Not sure how your PKI environment is deployed. If possible, you can tell more information about the environment.
Based on my understanding, a CA certificate can't be deleted if it has not expired.
Do you want to delete the policy CA certificate from the policy ca or the sub-issue CAs?

Best Regards,


TedBot answered TedBot edited

Hi FanFan

The certificate was signed by the Root and installed on the PolicyCA. After publishing to AD, PKIVIEW is not reflecting the crt, AIA and CDP.
Can we delete the Policy CA cert or revoke this certificate, then submit "Renew CA Certificate" on the PolicyCA and sign a new certificate? Will this resolve the issue?


Hi,
1. Would you please tell us how you deployed the PKI tiers?
First Tier: Root CA (offline or online?)
Second Tier: Policy CA (offline or online?)
Third Tier: Issuing CA (online?) domain joined?
2. Do you mean you wanted to renew the PolicyCA certificate, but selected the wrong option, "submit the new request"?
When you open the Certification Authority console, please check the PolicyCA properties and how many certificates are displayed:
[attachment: 4214.jpg]
3. You opened PKIVIEW on the Issuing CA, right? Would you please share a screenshot here? (Please hide the private information.)

TedBot answered TedBot edited

The following steps were performed for the PolicyCA crt:

Renewed the CA cert with a new key pair.
Copied the following files to the AD FS location (for CDP/AIA):

CertEnroll\IntCA(1).crt
CertEnroll\IntCA(1).crl

Published IntCA to AD FS:

certutil -dspublish -f " - " SubCA

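As an added example (not code from this thread or from Microsoft), the PowerShell script below publishes the renewed Policy CA certificate and CRL with the same certutil -dspublish commands used above, then compares the Authority Key Identifier of the Issuing CA certificate with the Subject Key Identifier of the new Policy CA certificate, which tells you whether the Issuing CA still needs to be renewed, the condition Crypt32 describes for PKIVIEW to update. The file paths, the exported Issuing CA certificate and the helper name Get-KeyIdentifier are assumptions.

```powershell
# Added example, not from the thread. Assumes the renewed Policy CA certificate and CRL were
# exported from the Policy CA's CertEnroll folder, and the current Issuing CA certificate was
# exported (e.g. "certutil -ca.cert IssuingCA.cer" run on the Issuing CA). Paths are placeholders.
param(
    [string]$NewPolicyCaCert = 'C:\PKI\IntCA(1).crt',
    [string]$NewPolicyCaCrl  = 'C:\PKI\IntCA(1).crl',
    [string]$IssuingCaCert   = 'C:\PKI\IssuingCA.cer'
)

# Returns the key identifier carried in a certificate extension as upper-case hex.
function Get-KeyIdentifier {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return $null }
    # Format() renders the AKI as "KeyID=ab cd ..." and the SKI as "ab cd ..."; keep only the hex.
    $text = $ext.Format($false)
    if ($text -match 'KeyID=([0-9A-Fa-f ]+)') { $text = $Matches[1] }
    return ($text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$policy  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewPolicyCaCert
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuingCaCert

$newPolicySki = Get-KeyIdentifier -Cert $policy  -Oid '2.5.29.14'   # Subject Key Identifier
$issuingAki   = Get-KeyIdentifier -Cert $issuing -Oid '2.5.29.35'   # Authority Key Identifier

# 1. Publish the renewed Policy CA certificate and its CRL to AD (the thread's commands).
certutil -dspublish -f $NewPolicyCaCert SubCA
certutil -dspublish -f $NewPolicyCaCrl

# 2. A Policy CA renewed with a new key pair gets a new SKI, so an Issuing CA certificate
#    issued under the old key still points (AKI) at the old Policy CA certificate.
if ($issuingAki -and $issuingAki -eq $newPolicySki) {
    Write-Host "Issuing CA certificate is signed by the renewed Policy CA key; PKIVIEW should reflect it."
} else {
    Write-Host "Issuing CA AKI ($issuingAki) does not match the new Policy CA SKI ($newPolicySki)."
    Write-Host "Renew the Issuing CA certificate so it is signed by the new Policy CA certificate;"
    Write-Host "until then PKIVIEW keeps showing the chain built on the old Policy CA certificate."
}

# 3. After renewing the Issuing CA, confirm its AIA/CDP URLs resolve to the published objects:
#    certutil -verify -urlfetch <path to the new Issuing CA certificate>
```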

TedBot answered FanFan-MSFT commented

[attachment: intca.jpg]

Hi,
As Crypt32 said, it won't refresh until you renew your Issuing CA certificate, which must be signed with the new Policy CA certificate.
Best Regards,
